Score: 0.8 (>= 0.8) Infected Target: 192.168.1.130 Infector List: 209.240.39.216 Egg Source List: 209.240.39.216 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:27:05.145 PDT Gen. Time: 06/20/2011 13:27:13.431 PDT INBOUND SCAN EXPLOIT 209.240.39.216 (3) (13:27:05.145 PDT) event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.270 PDT) ------------------------- event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.270 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.145 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 209.240.39.216 (13:27:13.431 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-4013 (13:27:13.431 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308601625.145 1308601625.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.130' ============================== SEPARATOR ================================ Score: 0.8 (>= 0.8) Infected Target: 192.168.1.130 Infector List: 209.240.39.216 Egg Source List: 209.240.39.216 C & C List: Peer Coord. List: Resource List: Observed Start: 06/20/2011 13:27:05.145 PDT Gen. Time: 06/20/2011 13:31:50.097 PDT INBOUND SCAN EXPLOIT 209.240.39.216 (3) (13:27:05.145 PDT) event=1:22003081 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.270 PDT) ------------------------- event=1:22003082 {tcp} E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040), [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.270 PDT) ------------------------- event=1:2299913 {tcp} E2[rb] ET SHELLCODE x86 0x90 unicode NOOP, [] MAC_Dst: 00:30:48:30:03:AE 139<-3947 (13:27:05.145 PDT) EXPLOIT MALWARE DNS EGG DOWNLOAD 209.240.39.216 (2) (13:27:13.431 PDT) event=1:2000419 {tcp} E3[rb] ET POLICY PE EXE or DLL Windows file download, [] MAC_Src: 00:21:1C:EE:14:00 9988<-4013 (13:27:13.431 PDT) ------------------------- event=1:3300007 {tcp} E3[rb] BotHunter Malware Windows executable (PE) sent from remote host, [] MAC_Src: 00:21:1C:EE:14:00 9988<-4013 (13:27:13.431 PDT) C and C TRAFFIC C and C TRAFFIC (RBN) C and C DNS CHECK-IN OUTBOUND SKYPE CANDIDATE OUTBOUND SCAN (spp) OUTBOUND SCAN ATTACK PREP PEER COORDINATION DECLARE BOT tcpslice 1308601625.145 1308601625.146 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.130' ============================== SEPARATOR ================================